Registry – SCCMOG – Deployment Blog

30th November 201830th November 2018

Windows 10 Configure User Experience Offline – MDT SCCM OSD -VBScript

So currently I am working on an Government Education site comprising of just under 40 schools. There was a requirement to remove/hide Microsoft’s Edge browser from the image being rolled out to the users. The reasoning behind this is down to a monitoring tool used by the education department that does not support Edge and therefor policies would be broken…

Anyway I hunted around on our favourite resource for a solution that would not break the image entirely by removing one of it core features.

Eventually I found these 4 registry keys that did the trick:

KEY: HKEY_LOCAL_MACHINE\NewOS\Microsoft\Windows\CurrentVersion\Explorer
Name: DisableEdgeDesktopShortcutCreation 
Value: 1

KEY: HKEY_LOCAL_MACHINE\NewOS\Microsoft\Windows\CurrentVersion\Explorer

Name: DisableEdgeDesktopShortcutCreation

Value: 1

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\Main
Name: PreventFirstRunPage
Value: 1

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\Main

Name: PreventFirstRunPage

Value: 1

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\Main
Name: AllowPrelaunch 
Value: 0

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\Main

Name: AllowPrelaunch

Value: 0

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\TabPreloader\AllowTabPreloading
Name: AllowTabPreloading 
Value: 0

KEY: HKEY_LOCAL_MACHINE\NewOS\Policies\Microsoft\MicrosoftEdge\TabPreloader\AllowTabPreloading

Name: AllowTabPreloading

Value: 0

Next was to figure out how to inject these into my reference image before it was laid onto the VM for automated customisation. So I remembered a great script by Johan Arwidmark I use all the time for turning off Appx package updates during a reference image capture task sequence (can break sysprep if allowed).

Anyway after a bit of modification to load the Software registry hive offline instead this is what I came up with. There is also some commented out portions here that may come in handy:

Github: Config-Win10-Offline-UE.wsf

MDT Setup

First download the script and save it into you deployment share “Scripts” folder:

J:\<YOUR_DEPLOYMENT_SHARE>\Scripts\Config-Win10-Offline-UE.wsf

1	J:\<YOUR_DEPLOYMENT_SHARE>\Scripts\Config-Win10-Offline-UE.wsf

Then Open up your chosen Task Sequence in MDT and just before the “Inject Drivers” step under the “Post Install Group” and a new “Run Commmand Line Step”.
Name it for example: Configure User Experience
Then use the following command line:

cscript.exe "%SCRIPTROOT%\Config-Win10-Offline-UE.wsf"

1	cscript.exe "%SCRIPTROOT%\Config-Win10-Offline-UE.wsf"

Example:

SCCM Setup

For SCCM you must be using the MDT integration (if you’re not… Start now!), you can make it work without it but I will not cover that here.
Find your current MDT Toolkit Package that is associated with the Task Sequence you would like to configure power settings in.
Open the “Source” location of your toolkit package, then open the scripts folder.

Once inside the scripts folder copy the “Config-Win10-Offline-UE.wsf” into it. Now, update the Package in ConfigMgr.
Next we need to add the step to the task sequence. It must go after a “Use Toolkit Package” step and before your Driver injection step in the task sequence. (If you have a reboot remember to add another use “Toolkit package”.)

Create a new “Run Command Line Step” and add the below command.

cscript.exe "%deployroot%\scripts\Config-Win10-Offline-UE.wsf"

1	cscript.exe "%deployroot%\scripts\Config-Win10-Offline-UE.wsf"

And that is it. Your ConfigMgr or MDT Task sequence is now setup to configure the user environment before the machine boots!

Anyway as always, script is provided as is and if you do mod it, there is a line to add your name.

13th July 2018

Disable RDP Windows 10 PowerShell Script Configuration Baseline SCCM

So I was setting up a KIOSK environment using Windows 10 1709 for a client recently and we wanted to take the route of applying as few GPOs as possible (as it should be in 2018)!

Ensuring that this stayed disabled was something that we decided to deploy using ConfigMgr Configuration Baselines.

So the Check compliance script is as follows:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-CheckRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-CheckRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

#Set initial values
$TSSet = $True
$RDPTCPSet = $True
$RDPUserinTCPReturn = $True
$RDPUserinUDPReturn = $True
$RDPShadinTCPReturn = $True

#Test fDenyTSConnections state
$TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections
If ($TSReturn -eq 1) {
    $TSSet = $false
}

#Test RDP-TCP State
$RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication
If ($RDPTCPReturn -eq 0) {
    $RDPTCPSet = $false
}

#Get Firewall states
$RDPUserinTCPReturn = (Get-NetFirewallRule -Name $RDPUserinTCP -ErrorAction SilentlyContinue).Enabled
$RDPUserinUDPReturn = (Get-NetFirewallRule -Name $RDPUserinUDP -ErrorAction SilentlyContinue).Enabled
$RDPShadinTCPReturn = (Get-NetFirewallRule -Name $RDPShadinTCP -ErrorAction SilentlyContinue).Enabled

#Evaluate and report
If (!($RDPUserinTCPReturn) -and ($RDPUserinUDPReturn) -and ($RDPShadinTCPReturn) -and ($TSSet) -and ($RDPTCPSet)) {
    Write-Host "Compliant!"
}

##################################################################################################################

##################################################################################################################

# Author: Richie Schuster - C5 Alliance - SCCMOG.com

# Date: 06/07/2018

# Script: Action-CheckRDPCompliance.ps1

# Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-CheckRDPCompliance.ps1

##################################################################################################################

#Variables

$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

$TSRegProperty = "fDenyTSConnections"

$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

$RDPTcpRegProperty = "UserAuthentication"

#Set initial values

$TSSet = $True

$RDPTCPSet = $True

$RDPUserinTCPReturn = $True

$RDPUserinUDPReturn = $True

$RDPShadinTCPReturn = $True

#Test fDenyTSConnections state

$TSReturn = (Get-ItemProperty -Path $TSRegPath -Name $TSRegProperty -ErrorAction SilentlyContinue).fDenyTSConnections

If ($TSReturn -eq 1) {

$TSSet = $false

}

#Test RDP-TCP State

$RDPTCPReturn = (Get-ItemProperty -Path $RDPTcpRegPath -Name $RDPTcpRegProperty -ErrorAction SilentlyContinue).UserAuthentication

If ($RDPTCPReturn -eq 0) {

$RDPTCPSet = $false

}

#Get Firewall states

$RDPUserinTCPReturn = (Get-NetFirewallRule -Name $RDPUserinTCP -ErrorAction SilentlyContinue).Enabled

$RDPUserinUDPReturn = (Get-NetFirewallRule -Name $RDPUserinUDP -ErrorAction SilentlyContinue).Enabled

$RDPShadinTCPReturn = (Get-NetFirewallRule -Name $RDPShadinTCP -ErrorAction SilentlyContinue).Enabled

#Evaluate and report

If (!($RDPUserinTCPReturn) -and ($RDPUserinUDPReturn) -and ($RDPShadinTCPReturn) -and ($TSSet) -and ($RDPTCPSet)) {

Write-Host "Compliant!"

}

##################################################################################################################

Ok, so now the check script is out the way, here is the remediation script:

##################################################################################################################
#
#  Author: Richie Schuster - C5 Alliance - SCCMOG.com
#  Date:   06/07/2018
#  Script: Action-RemediateRDPCompliance.ps1
#  Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-RemediateRDPCompliance.ps1
#
##################################################################################################################

#Variables
$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$TSRegProperty = "fDenyTSConnections"
$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$RDPTcpRegProperty = "UserAuthentication"

#Remediate and Block RDP
Set-ItemProperty $TSRegPath -Name $TSRegProperty -Value 1 -Force
Set-ItemProperty $RDPTcpRegPath -Name $RDPTcpRegProperty -Value 0 -Force
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

#The End :)
##################################################################################################################

##################################################################################################################

# Author: Richie Schuster - C5 Alliance - SCCMOG.com

# Date: 06/07/2018

# Script: Action-RemediateRDPCompliance.ps1

# Usage: Powershell.exe -ExecutionPolicy Bypass -File .\Action-RemediateRDPCompliance.ps1

##################################################################################################################

#Variables

$TSRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

$TSRegProperty = "fDenyTSConnections"

$RDPTcpRegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

$RDPTcpRegProperty = "UserAuthentication"

#Remediate and Block RDP

Set-ItemProperty $TSRegPath -Name $TSRegProperty -Value 1 -Force

Set-ItemProperty $RDPTcpRegPath -Name $RDPTcpRegProperty -Value 0 -Force

Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

#The End :)

##################################################################################################################

As Always scripts are as is, and if you do use them remeber where you got them from 😉

If you would like to see the setup of this baseline let me know in the comments below.

Cheers,

SCCMOG

5th November 20165th November 2016

Persist all Drivers at Sysprep stage

Ok, So I was capturing a very specific build for a government Audiology department the other day and needed to keep all drivers in the image as there were Hearing Aid and Hearing measurement devices that would need to be operated from these machines.

To do this is quite simple actually, just make sure BEFORE you kick off sysprep, whether that’s through SCCM, MDT or manually that you change these registry keys.

Navigate to:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Settings\sppnp

Keep drivers during sysprep phase.

And then set:

PersistAllDeviceInstalls to 1 – This will keep all drivers for hardware that is connected to the machine at the time of sysprep.
DoNotCleanUpNonPresentDevices to 1 – This coupled with the above will addtionally keep all drivers for hardware that are not connected to the machine at the time of sysprep.

Note…

If you are using an answer file for sysprep configure your answer file to persist the drivers by adding the PersistAllDeviceInstalls setting in the Microsoft-Windows-PnPSysprep and giving it a value of true.